aushack.com - Vulnerability Advisory
-----------------------------------------------
Release Date:
 07-Apr-2008

Software:
 Tumbleweed Communications - SecureTransport FileTransfer
 http://www.tumbleweed.com/

Description:
 "Tumbleweed SecureTransport is the industry's most secure Managed File Transfer solution for moving financial transactions, critical business files, large documents, XML, and EDI transactions over the Internet and private IP networks.

 The SecureTransport managed file transfer suite was built with security in mind from the ground up. SecureTransport provides corporate and government organizations with an enterprise-class managed file transfer service supporting a broad and flexible set of open Internet standards.

 Winner of the 2006 "Best Intellectual Property Protection" award from SC Magazine, SecureTransport securely manages file transfer at over 20,000 sites around the world. Financial networks use SecureTransport to move billions of dollars in financial transactions daily, and 8 of the top 10 U.S. banks use it to serve tens of thousands of corporate customers. Healthcare providers, payers, producers and clearing houses are linked through SecureTransport, which provides a single, integrated secure file transfer infrastructure for transferring private health information (PHI). And government agencies leverage SecureTransport to share sensitive documents with other agencies."

Versions affected:
 SecureTransport FileTransfer ActiveX Control vcst_eu.dll 1.0.0.5 English.
 Prior versions, and other language editions (vcst_*.dll), are assumed to be vulnerable.

Vulnerability discovered:
 Buffer Overflow.

Vulnerability impact:
 High - Remote code execution.

Vulnerability information:
 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Tumbleweed Communications SecureTransport FileTransfer ActiveX Control. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page. It may also be possible to embed the malicious content in HTML-capable email clients.

 The specific flaw exists within the ActiveX control:

 DLL: vcst_en.dll
 CLSID: 38681fbd-d4cc-4a59-a527-b3136db711d3

 interface IActiveXTransfer : IDispatch {
     [id(0x00000007), helpstring("method TransferFile")]
     HRESULT TransferFile(
                     [in] VARIANT URL,
                     [in] VARIANT hostName,
                     [in] VARIANT localFile,
                     [in] VARIANT remoteFile,
                     [in] VARIANT fdxCookie,
                     [in] long isSecure,
                     [in] long isUpload,
                     [in] int portNo,
                     [in] long isAscii,
                     [in] long shouldPerformMD5,
                     [in] long isCheckpointRestart,
                     [in] int serverPing,
                     [out, retval] VARIANT* errBuffer);
 };

 When a large value is specified for the 'remoteFile' parameter of the IActiveXTransfer.FileTransfer() method, a stack-based buffer overflow occurs. Exploitation can result in code execution under the context of the current user.

 Other parameters, such as localFile, fdxCookie and localFile may also be vulnerable.

Examples:
 The following HTML will execute calc.exe under Windows 2000 Professional.

 Additionally, a Metasploit Framework Module has been written to demonstrate the vulnerability.

References:
 aushack.com advisory
 http://www.aushack.com/200708-tumbleweed.txt

Credit:
 Patrick Webster ( patrick@aushack.com )

Disclosure timeline:
 13-Aug-2007 - Discovered during quick audit.
 14-Aug-2007 - Metasploit module developed.
 22-Aug-2007 - Notified vendor.
 19-Oct-2007 - Vendor patch released. SecureTransport Server 4.6.1 Hotfix 20.
 07-Apr-2008 - Disclosure.

EOF
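
The following read-only PowerShell audit is an added example, not part of the original advisory or of any vendor tooling. It checks whether the control with the CLSID above is registered on a workstation, reads the file version of its DLL, and reports whether the Internet Explorer kill bit is set for it. It assumes a machine-wide (HKLM) COM registration and uses the standard Windows registry locations for COM classes and IE "ActiveX Compatibility" flags; the advisory does not give a fixed client DLL version, so the version check only flags files at or below the affected 1.0.0.5.

```powershell
# Added audit example; read-only, run on the workstation being checked.
$Clsid       = '{38681FBD-D4CC-4A59-A527-B3136DB711D3}'  # CLSID from the advisory
$AffectedMax = [version]'1.0.0.5'                        # affected version from the advisory
$KillBit     = 0x400                                     # IE "Compatibility Flags" kill bit

function Get-ControlStatus {
    param([Parameter(Mandatory)][string]$SoftwareRoot)

    $status = [ordered]@{
        View = $SoftwareRoot; Registered = $false; DllPath = $null
        FileVersion = $null; AtOrBelowAffected = $null; KillBitSet = $false
    }

    # COM registration: the default value of InprocServer32 is the DLL path.
    $server = Join-Path $SoftwareRoot "Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $server) {
        $status.Registered = $true
        $dll = ([string](Get-Item -LiteralPath $server).GetValue('')).Trim('"')
        $status.DllPath = $dll
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $vi  = (Get-Item -LiteralPath $dll).VersionInfo
            $ver = New-Object System.Version -ArgumentList `
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            $status.FileVersion = $ver
            $status.AtOrBelowAffected = ($ver -le $AffectedMax)
        }
    }

    # Kill bit: stops Internet Explorer from instantiating the control.
    $compat = Join-Path $SoftwareRoot "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (Test-Path -LiteralPath $compat) {
        $flags = (Get-ItemProperty -LiteralPath $compat).'Compatibility Flags'
        $status.KillBitSet = [bool]($flags -band $KillBit)
    }
    [pscustomobject]$status
}

# Native registry view, then the 32-bit view used by 32-bit Internet Explorer.
$results = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node' |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-ControlStatus -SoftwareRoot $_ }
$results | Format-List
# Needs attention: Registered and AtOrBelowAffected are True while KillBitSet is False.
```

A host that reports the control as registered at or below 1.0.0.5 with no kill bit should receive the vendor patch listed in the disclosure timeline.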